IP aliases, effect on security?

Ron Wickersham rjw at alembic.com
Wed Feb 12 01:37:47 PST 2003




On Wed, 12 Feb 2003, Daniel Smith wrote:

---snip---

> It's just a 1U Penguin Computing Relion, running a few IP addresses
> - yep, they will be from the same Class C range.
> I'll only use 1 ethernet controller, although it has two.
> I have a few domains to hit off of Apache (VirtualServer).
> Nothing will be hanging off of the box (i.e. it's a dead-end, no need
> to route anything).  Just need http/s and ssh.
> 
> Come to think of it, there's no reason to have SSH exposed to
> more than one IP.
> 
> Perhaps another way to approach the question is: what other
> method is worth considering for hosting a few web sites (different
> domains, all standard port 80) off of one box?

hi Daniel,

the method you're describing with separate ip addresses bound to a single
interface and then each ip address running a separate domain under a
single instance of Apache is indeed called virtual hosting.  this method
was necessary under HTTP 1.0 and each domain required its own ip address.
dns was used to deliver the separate ip addresses and Apache (or the
unpatched NCSA server) would deliver the appropriate web pages for each
domain.  the browser made a simple request to the ip address with only
/ or the name of the page if known.

HTTP was extended to 1.1 and you are now able to use a single ip address
for many different domains.  of course the browser has to be capable of
HTTP/1.1 and virtually every one now running is so able, the facility 
having been added in Netscape 2.  this method is called name virtual 
hosting.  with this method, dns is set up on each domain to point to
the same ip address.  the browser will still look up the ip address
and send the request to port 80 on the web server.  but in addition to
the page request, the browser will add a host: request.  in this manner
Apache will know which domain the request is being made for.  the
httpd.conf file is very similar to ip based virtual hosting but there
is a line preceding each VirtualHost section with NameVirtualHost
and the numeric ip address.   (well you can use a domain name and let
dns do the lookup, but that is not preferred since it breaks if for
any reason dns does not resolve while apache is booting)   check out
the Apache configuration pages where they have examples of the options
for NameVirtualHosting.  you can separate the log files for each
domain or keep them in a single log file, all the virtual host options
for cgi-bin and .htaccess can be handled separately for each domain, etc.

-ron
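
An added example, not part of the original message: an httpd.conf fragment for the name virtual hosting setup described above, with a numeric NameVirtualHost address, per-domain log files, and a deliberate default host for requests whose Host: header matches no configured domain. The address 192.0.2.10, the domain names and all paths are placeholders chosen for illustration.

```apache
# Constructed example: address, domain names and paths are placeholders.
# Syntax is for Apache 1.3/2.0/2.2. Apache 2.4 no longer needs NameVirtualHost
# and replaces Order/Deny with "Require all denied".

LogFormat "%h %l %u %t \"%r\" %>s %b" common

# Numeric address, so startup does not depend on dns resolving.
NameVirtualHost 192.0.2.10:80

# The first VirtualHost listed for an address is the default: it answers any
# request whose Host: header is missing or matches no ServerName/ServerAlias.
# An explicit deny-all default keeps such requests out of a real site.
<VirtualHost 192.0.2.10:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Location />
        Order deny,allow
        Deny from all
    </Location>
    ErrorLog  logs/default-error_log
    CustomLog logs/default-access_log common
</VirtualHost>

# One section per domain; dns for each name points at 192.0.2.10.
<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example.com/htdocs
    ErrorLog  logs/example.com-error_log
    CustomLog logs/example.com-access_log common
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName www.example.org
    ServerAlias example.org
    DocumentRoot /var/www/example.org/htdocs
    ErrorLog  logs/example.org-error_log
    CustomLog logs/example.org-access_log common
</VirtualHost>
```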




